Hackers Attack Medical Equipment

I'm happy for anyone to come along and say 'I'm a doctor and I'll gladly give up my million dollar home, my Audi, my wife's BMW and drinking habit, and private school for my 2 children' or 'I'm a consumer and security of our environment is my number one priority, please put my bills up by 7 times to ensure Microsoft can harvest all my information', but as that's not going to happen in a capitalist society, you're going to have to buckle up and have this keep happening.

Eh, doctors only live lavishly because no one wants their doc to be the one from the poor side of town, driving a half-dead Pinto and reeking of BO. Kinda like how you never see a construction foreman driving a sporty coupe to their work sites; people typically live up to the expectations of their clients so that they continue to have clients.

But really, the major problem from my experience is that nobody wants to risk breaking medical equipment. Once everything is working, the rule is not to touch it: putting an X-ray or MRI machine out of business for even a day not only costs serious amounts of money, it also puts patients at risk and further backlogs an already overused resource.
 
The interesting thing with this is there's no simple fix for it, and blaming IT or even companies for these things occurring is naive and simplistic. As an administrator who works in the energy industry, I look after our entire control and monitoring system, which runs on Windows XP and Server 2003 (unpatched) or worse, and I can tell you it's endemic to capitalism and nothing to do with specific people or companies. When you talk about replacing the OS, we're not talking about just doing a RAM upgrade and a format and reinstall, or heading down to Best Buy to pick up a new $300 laptop just because Microsoft wants to slap some more telemetry in their OS; we're talking about a million dollars per DEA, because the control cards are ISA or don't have drivers for anything newer than a 15-year-old OS. Hell, I've just built half a dozen 486DX4-100 machines that run our turbines out of spares so we can keep running and not spend 10 million each to replace them. The amount of sleep I lose trying to hold our environment together with spit and twigs so that a customer doesn't go somewhere else to save $1 a day can't even be counted.

My question is this: are you willing to pay 10 times more on your power bill so that Microsoft can put a bunch of bullshit telemetry and Candy Crush on every workstation, or have Linux with the tiny pool of support people pushing pay rates through the roof on demand (specifically if you aren't a Linux admin ;) )?

As for not connecting things to the internet, there are a massive range of issues with that. We have a network spread over thousands of miles, and the cost to run private microwave connections over less than a dozen sites is insane, let alone the dozens and dozens of remote locations currently serviced by cellular and satellite. We also don't have the funds to put an IT person at every site to support the system or drive out to each site (which could be 1000+ miles away), so remote admin is the only feasible option.

I'm happy for anyone to come along and say 'I'm a doctor and I'll gladly give up my million dollar home, my Audi, my wife's BMW and drinking habit, and private school for my 2 children' or 'I'm a consumer and security of our environment is my number one priority, please put my bills up by 7 times to ensure Microsoft can harvest all my information', but as that's not going to happen in a capitalist society, you're going to have to buckle up and have this keep happening.

1000x this. I still get equipment with Windows CE6 on it ffs. There is so much string and bailing wire holding shit together it's ridiculous. That said, anything that can be converted to Linux is being converted to cut down on the nonsense.
 
"The Kwampirs malware was found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines." I interpret the article as saying they are targeting healthcare. Probably straight-up email-based attacks, or IP ranges, and the malware traversed to other machines that happen to be X-ray or MRI. This is 100% on the IT org.

This is also basically an advertorial for Symantec, so take the implied scope of terror with a grain of salt.
 
What a bunch of wasters, I hope one day they need an MRI scan themselves and get their brains fried by their own worm/virus !!!
 
Hell I've just built half a dozen 486DX4-100 machines that run our turbines out of spares so we can keep running


While it has been some time now, a major TV network had some of their main sat dishes being controlled by... OS/2

haha
 
How about the machines are not accessible from the internet....
How about the makers of said machines do some QA and hire external companies to test their shit-insecure software?

Sure, this is a dick move by hackers... but let's also blame the makers of said devices for being so lax, and hospitals for not securing their systems, which we are seeing over and over and over get exploited.

I do hold the manufacturers at fault, but federal regulations are much of the issue also.

Current laws strongly encourage and practically mandate online systems for patient records. Air gapping them is practically illegal in implementation.

Also, as others pointed out, this tech takes so long to pass government fortifications to "make sure it's right and safe" that it takes forever to do upgrades.
 
I used to install patient monitoring equipment and networks. I can confirm the security on these systems is absolutely abysmal. Literally the only thing I had real control over, unless the hospital refused to use ours, was the firewall. Past that, no control, and security was an absolute joke.
 
No, it sure isn't.

Yep, it does suck. Everyone thinks you're an idiot because 99% of people don't understand how tied our hands are between governmental regulations, the vendors generally being morons, costs for upgrades, and the fact hospitals are seeing fewer reimbursements. It's a total shit show.
 
It frightens me, but I know it isn't a matter of if but when we have another Therac-25 situation. I think the next time around it won't be a code flaw but rather malicious intent.
 
Yep, it does suck. Everyone thinks you're an idiot because 99% of people don't understand how tied our hands are between governmental regulations, the vendors generally being morons, costs for upgrades, and the fact hospitals are seeing fewer reimbursements. It's a total shit show.
Who are you... :cautious: Sounds eerily like my place of employment lol
 
Yeah if I was a hacker of an MRI machine there would be a lot of people finding cancers of the brain that are shaped like dicks.
 
I do hold the manufacturers at fault, but federal regulations are much of the issue also.

Current laws strongly encourage and practically mandate online systems for patient records. Air gapping them is practically illegal in implementation.

Also, as others pointed out, this tech takes so long to pass government fortifications to "make sure it's right and safe" that it takes forever to do upgrades.

Understandable, but then also why does the actual machine need to be on the internet or accessible? Records/scans from the machines could be accessed via terminals, which could use a very secure file transfer that would not be used to exploit the running software, kind of an 'outbound only' model, with the medical devices not accepting any input outside of what they are supposed to do, or some form of sandbox separate from the core functions. This is lazy coding; just look at the IoT world, companies do a half-ass job on software because they do not do any real QA.

Sure, easier said than done... but with the results of what could happen with these machines...
 
I absolutely agree with you; that would be far safer and should be done.

It's less efficient and slightly more error-prone. It would add system complexity to the machines. They would need to store the records locally for some extended amount of time until the records are confirmed to have transferred safely to the other system of record, which would be a manual air-gapped procedure that could take days or a week if the receiving system is physically remote.
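The two posts above sketch an outbound-only design: the modality pushes records out, accepts nothing back except a receipt, and keeps its local copy until that receipt confirms a safe transfer. Below is an added example that models that spool-and-confirm loop in-process; it is not code from the thread or from any vendor, the class names, the hypothetical `RecordsSystem`, and the sample studies are all constructed for illustration, and a real deployment would put a network link (with its own authentication) where the `link` callable is.

```python
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class RecordsSystem:
    """Hypothetical stand-in for the system of record. It only receives;
    it never sends commands back to the device. Stored records are keyed
    by content hash, so a retried push after a lost ack is idempotent."""
    stored: dict = field(default_factory=dict)

    def receive(self, payload: bytes) -> str:
        digest = hashlib.sha256(payload).hexdigest()
        self.stored[digest] = payload
        return digest  # the ack is the hash of exactly what was written


@dataclass
class DeviceSpool:
    """Local outbound queue on the imaging device. A study stays in the
    spool until the receiver's ack matches the device's own hash of it."""
    pending: dict = field(default_factory=dict)
    confirmed: list = field(default_factory=list)

    def enqueue(self, study_id: str, record: dict) -> None:
        # Canonical JSON so the hash is stable across retries.
        self.pending[study_id] = json.dumps(record, sort_keys=True).encode()

    def flush(self, link) -> list:
        """Push every pending study over `link` (callable: bytes -> ack string).
        Returns the study ids that were confirmed on this pass."""
        delivered = []
        for study_id, payload in list(self.pending.items()):
            expected = hashlib.sha256(payload).hexdigest()
            try:
                ack = link(payload)
            except ConnectionError:
                continue  # link down: keep the record, retry next flush
            if ack == expected:
                del self.pending[study_id]
                self.confirmed.append(study_id)
                delivered.append(study_id)
            # Mismatched ack: keep the record. Either the bytes were altered
            # in transit or the receiver acknowledged something else.
        return delivered


def demo() -> dict:
    """Walks the spool through a down link, a bad ack, and a healthy link."""
    records = RecordsSystem()
    spool = DeviceSpool()
    # Constructed sample studies, not real patient data.
    spool.enqueue("MR-0001", {"study": "MR-0001", "patient": "TEST^ONE", "series": 3})
    spool.enqueue("MR-0002", {"study": "MR-0002", "patient": "TEST^TWO", "series": 1})

    # 1. WAN down: nothing leaves the spool and nothing is lost.
    def down(_payload):
        raise ConnectionError("WAN unavailable")
    first = spool.flush(down)

    # 2. Link up, but the ack for MR-0002 does not match what we sent.
    def flaky(payload):
        ack = records.receive(payload)
        return "deadbeef" if b'"MR-0002"' in payload else ack
    second = spool.flush(flaky)

    # 3. Healthy link: the held study goes through; the receiver already
    #    has those bytes from step 2 and simply overwrites the same key.
    third = spool.flush(records.receive)

    return {
        "first": first,
        "second": second,
        "third": third,
        "pending": sorted(spool.pending),
        "confirmed": spool.confirmed,
        "stored": len(records.stored),
    }


if __name__ == "__main__":
    print(demo())
```

The point the thread's poster raises about retention is visible in step 2: a study whose receipt cannot be verified is not deleted, and the local copy is what makes the later retry possible. Hash-keyed storage on the receiving side is what keeps that retry from creating a duplicate record.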
 